d39ffc9e25
Specifying the `allowed_organiztaional_units` parameter to a cert auth backend role will require client certificates to contain at least one of the listed "organizational units" (OU). Example use cases: Certificates are issued to entities in an organization arranged by organizational unit (OU). The OU may be a department, team, or any other logical grouping of resources with similar roles. The entities within the OU should be granted the same policies. ``` $ vault write auth/cert/certs/ou-engineering \ certificate=@ca.pem \ policies=engineering \ allowed_organiztaional_units=engineering $ vault write auth/cert/certs/ou-engineering \ certificate=@ca.pem \ policies=engineering \ allowed_organiztaional_units=engineering,support ```
[ req ]
default_bits = 2048
encrypt_key = no
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = req_v3
[ req_v3 ]
subjectAltName = @alt_names
[ dn ]
CN = example.com
OU = engineering
[ alt_names ]
IP.1 = 127.0.0.1
email = valid@example.com
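Review bot: The fixture carries no header comment saying what it generates or which test consumes it, so a reader cannot tell that `OU = engineering` under `[ dn ]` is the subject value the new OU-based matching is meant to exercise (that purpose is inferred from the commit description, not from the file); a line above `[ req ]` such as `# openssl req config: test CSR whose subject carries OU=engineering, used by the cert auth OU tests` would make the dependency explicit. `encrypt_key = no` also writes the generated private key unencrypted, which is acceptable for a test fixture but worth marking with `# test fixture only: private key is written unencrypted` so the block is not reused as a real CSR config unchanged. The description spells the new parameter `allowed_organiztaional_units` in both the prose and the example commands; if the backend registers the field under that spelling it becomes a user-facing API name, so the intended spelling is worth confirming before merge.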